Hi, how can I enable extended logging of web filtering?
I have a FortiGate 60D (firmware 5.2.5).
I enabled the webfilter.
I added webfilter monitor-all to the interface.
But I do not have UTM under Log & Report :(
I tried Google and the CLI:
# config dlp sensor
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set dlp-log [enable | disable]
# set nac-quar-log [enable | disable]
# end
BUT:
# config webfilter profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
I get error -61 after this command. :(
Also I can't change the profile under Web Filter in Security Profiles :(
Please advise.
Thanks
Hi
Under FortiOS 5.2.x and above, UTM logging is enabled by default and you do not have to configure anything. This can also be tested in the following way:
# diagnose log test
Log out from your web GUI and log in again, and you will see that under Log you now have the UTM logs for each UTM feature. If you would like to log everything based on webfilter, do the following:
--> Check that all categories which are allowed are on action "monitor" (which actually means allow but log)
--> All other categories which are not allowed set to block or whatever
After that, go to the CLI and edit your corresponding WebFilter profile and use/check the commands:
config webfilter profile
    edit [Name of your profile]
        set log-all-url enable
        set web-content-log enable
        set web-filter-activex-log enable
        set web-filter-command-block-log enable
        set web-filter-cookie-log enable
        set web-filter-applet-log enable
        set web-filter-jscript-log enable
        set web-filter-js-log enable
        set web-filter-vbs-log enable
        set web-filter-unknown-log enable
        set web-filter-referer-log enable
        set web-filter-cookie-removal-log enable
        set web-url-log enable
        set web-invalid-domain-log enable
        set web-ftgd-err-log enable
        set web-ftgd-quota-usage enable
    next
end
After that, check that the firewall policy used for your WebFilter HTTP/HTTPS traffic has logging enabled for "all sessions".
That's it... generate traffic and wait some 2/3 seconds... sometimes, if the log does not exist under Log for WebFilter, you have to log out and log in again or do a refresh in your browser.
hope this helps
have fun
Andrea
Hi
OK, I see you actually have no clue what you are using! Sorry to say this, but "deep-inspection" is based on man-in-the-middle technology; this means breaking out HTTPS traffic and looking into the traffic. For this the FGT must play man in the middle. From this point of view, on your side nothing is working as expected, so begin again and please copy/paste the commands into the console. For some commands you have to edit the profile name; from this point of view look for the positions [Name of Profile] and replace them with the name of the profile:
FULL LOG CONFIG WITH FILTER:
*************************
config log setting
    set resolve-ip enable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow enable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
    set local-out disable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
end
config log gui-display
    set resolve-hosts enable
    set resolve-apps enable
    set fortiview-unscanned-apps enable
    set fortiview-local-traffic enable
    set location memory
end
config log memory setting
    set status enable
    set diskfull overwrite
end
#
# If memory log is used set max-size as
# warning threshold.
#
# For "max-size" value "bytes" are used.
#
# config log memory global-setting
#     set max-size 65536
#     set full-final-warning-threshold 95
#     set full-first-warning-threshold 75
#     set full-second-warning-threshold 90
# end
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set netscan-discovery enable
    set netscan-vulnerability enable
    set voip enable
    #set dlp-archive enable
end
config log eventfilter
    set event enable
    set router enable
    set vpn enable
    set user enable
    set wireless-activity enable
    set wan-opt enable
    set endpoint enable
    set ha enable
end
config log threat-weight
    set status enable
end
CONFIGURE A PROTOCOL PROFILE
****************************
config firewall profile-protocol-options
    edit [Name of your Profile]
        set comment "Unencrypted default profile"
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set ports 80
            set status enable
            set inspect-all disable
            set options clientcomfort
            set comfort-interval 10
            set comfort-amount 1
            set fortinet-bar disable
            set streaming-content-bypass enable
            set switching-protocols bypass
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
            set block-page-status-code 200
            set retry-count 0
        end
        config ftp
            set ports 21
            set status disable
            set inspect-all disable
            set options clientcomfort
            set comfort-interval 10
            set comfort-amount 1
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config imap
            set ports 143
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config mapi
            set ports 135
            set status disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config pop3
            set ports 110
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config smtp
            set ports 25
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
            set server-busy disable
        end
        config nntp
            set ports 119
            set status disable
            set inspect-all disable
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config dns
            set ports 53
            set status enable
        end
        config mail-signature
            set status disable
        end
    next
end
CONFIGURE A SSH-SSL PROTOCOL PROFILE
************************************
config firewall ssl-ssh-profile
    edit [Name of your Profile]
        set comment "Encrypted URL Scan Only default profile"
        set server-cert-mode re-sign
        set caname Fortinet_CA_SSLProxy
        set certname Fortinet_CA_SSLProxy
        set ssl-invalid-server-cert-log enable
        config ssl
            set inspect-all disable
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config https
            set ports 443
            set status certificate-inspection
            set client-cert-request bypass
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config ftps
            set ports 990
            set status disable
            set client-cert-request bypass
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config imaps
            set ports 993
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config pop3s
            set ports 995
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config smtps
            set ports 465
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
    next
end
Sorry, here is the rest of the commands; this forum stuff has some limitations:
CONFIGURE WEBFILTER OPTIONS
***************************
config webfilter profile
    edit [Name of your Profile]
        set comment "Webfilter default profile"
        set inspection-mode proxy
        set https-replacemsg disable
        config web
            set safe-search url
            set log-search enable
        end
        config ftgd-wf
            set max-quota-timeout 300
            set rate-image-urls enable
            set rate-javascript-urls enable
            set rate-css-urls enable
            set rate-crl-urls enable
        end
        set log-all-url enable
        set web-content-log enable
        set web-filter-activex-log enable
        set web-filter-command-block-log enable
        set web-filter-cookie-log enable
        set web-filter-applet-log enable
        set web-filter-jscript-log enable
        set web-filter-js-log enable
        set web-filter-vbs-log enable
        set web-filter-unknown-log enable
        set web-filter-referer-log enable
        set web-filter-cookie-removal-log enable
        set web-url-log enable
        set web-invalid-domain-log enable
        set web-ftgd-err-log enable
        set web-ftgd-quota-usage enable
    next
end
CONTENT FILTER FOR BYPASS AV
***************************
config webfilter content-header
    edit 1
        set comment "exempt from antivirus scanning"
        config entries
            edit "video\\/.*"
                set action exempt
            next
            edit "audio\\/.*"
                set action exempt
            next
        end
        set name "exempt-antivirus-scanning"
    next
end
config webfilter profile
    edit [Name of your Profile]
        config web
            set content-header-list 1
        end
    next
end
URL FILTER FOR WEBFILTER TO BYPASS UTM FEATURES
********************************************
config webfilter urlfilter
    edit 1
        set name "urlfilter-bypass-av"
        set comment "URL Filter default profile"
        config entries
            edit 1
                set url "*.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 2
                set url "*.itunes.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 3
                set url "*.phobos.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 4
                set url "*.apple.com.edgesuite.net"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 5
                set url "*.windowsupdate.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 6
                set url "*.download.windowsupdate.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 7
                set url "*.stats.update.microsoft.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 8
                set url "*.msftncsi.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 9
                set url "*.microsoft.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
        end
    next
end
config webfilter profile
    edit [Name of your Profile]
        config web
            set urlfilter-table 1
        end
    next
end
Now go to your corresponding firewall policy rule and add, above it, the same rule as you delivered to me. Do not use the same rule as in the screenshot you delivered; really create another one above the existing one and do the following:
--> Add service HTTP and HTTPS (nothing else, and DO NOT USE service ALL)
--> Add the protocol options profile (the name of the profile you configured above with the "profile-protocol-options" commands)
--> Add the SSL/SSH options profile (the name of the profile you configured above with the "ssl-ssh-profile" commands)
--> Add the webfilter profile (your WebFilter profile name which you used above with the "webfilter profile" commands)
--> The rest of the firewall policy is as you delivered in the screenshot
Now test and check if your request is hitting the right new policy, which is above your current policy.
have fun
Andrea
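Added example, not code from this thread or from Fortinet: a small parser for the FortiOS CLI config/edit/set/next/end syntax used in the replies above, applied to a pasted "show webfilter profile" export to report which of the sixteen per-profile log switches (listed in the first reply and again in the WEBFILTER OPTIONS block) are not enabled. The sample export and the profile name "wf-monitor" are constructed; the function names are my own.

```python
import shlex
# The sixteen per-profile log switches the replies above enable.
REQUIRED_LOG_SETTINGS = (
    "log-all-url", "web-content-log", "web-filter-activex-log",
    "web-filter-command-block-log", "web-filter-cookie-log",
    "web-filter-applet-log", "web-filter-jscript-log", "web-filter-js-log",
    "web-filter-vbs-log", "web-filter-unknown-log", "web-filter-referer-log",
    "web-filter-cookie-removal-log", "web-url-log", "web-invalid-domain-log",
    "web-ftgd-err-log", "web-ftgd-quota-usage",
)
def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts. 'config X'/'edit Y' open a
    table, 'set K V...' stores the value tokens, 'next' closes the edit, and
    'end' closes the config block plus any edit still open inside it (as
    'edit ... end' does on the CLI). Lines starting with '#' are comments."""
    root, stack = {}, []  # stack holds (keyword, table) pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        table = stack[-1][1] if stack else root
        if cmd in ("config", "edit"):
            stack.append((cmd, table.setdefault(" ".join(args), {})))
        elif cmd == "set" and args:
            table[args[0]] = args[1:]
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            while stack and stack.pop()[0] != "config":
                pass
    return root
def missing_webfilter_logs(config_text, profile_name):
    """Required switches not 'enable' in the profile; None if it is absent."""
    prof = parse_fortios(config_text).get("webfilter profile", {}).get(profile_name)
    if prof is None:
        return None
    return [k for k in REQUIRED_LOG_SETTINGS if prof.get(k) != ["enable"]]
# Constructed sample (not a real device export): two switches enabled,
# one explicitly disabled, the rest left unset.
SAMPLE_CONFIG = """\
config webfilter profile
    edit "wf-monitor"
        set log-all-url enable
        set web-content-log enable
        set web-url-log disable
    next
end
"""
```

Run it against the real export with missing_webfilter_logs(open("export.txt").read(), "your-profile"); an empty list means every switch from the checklist is on.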
Hi
again me :)
What you have now is HTTP WebFilter and HTTPS with URL Scan Only, also called Certificate Inspection. This means the FGT does not play man in the middle; instead, for HTTPS the certificate CN (Common Name) is used to evaluate the categorisation for the WebFilter etc. Do not add an AV profile to this HTTP/HTTPS rule because AV cannot be done on HTTPS without deep inspection. If you would like deep inspection, that is another step, but for now please do what I delivered.
Andrea
Copyright 2024 Fortinet, Inc. All Rights Reserved.